This site is intended for health professionals only

At the heart of general practice since 1960

pul jul aug2020 cover 80x101px
Read the latest issue online

Independents' Day

GPs' details included in 500 confidential records lost by CQC

A number of GPs and practice managers who have undergone checks to become their practice’s CQC registered providers have had their confidential personal information lost by the regulator. 

In a serious incident report (SIR) released on Thursday, the CQC announced it had lost 500 ’disclosure and barring service (DBS)’ files - formerly known as CRB checks - which Pulse understands include those from primary medical services.

The files contain details of GPs and practice managers who have applied to be the practice’s CQC lead, including personal information such as their name, and date and place of birth, but also mental health information.

The CQC has written to GPs to apologise and notify them of the data breach, which occured during an office refurbishment.

It comes as the regulator announced earlier this month that practices could expect ‘strengthened’ inspections on their data security processes, as part of an overhaul of how the NHS manages sensitive information.

The CQC report says theft ‘cannot be ruled out’ but believes this is unlikely. However, it concludes the information could cause ‘harm and distress’ should it fall into ‘unscrupulous hands’.

The report highlights that the files were lost when a cabinet was accidentally tagged for removal partly due to a lack of on-site supervision by CQC staff.

CQC chief executive David Behan wrote to affected individuals earlier this week to notify them of the breach, and an independent review of the CQC’s security arrangements has been launched.

A statement on the CQC website says: ‘During a planned refurbishment of its office in Newcastle earlier this month, it appears that a locked filing cabinet containing up to 500 DBS certificates was wrongly marked for removal and destruction.

The SIR report concludes: ‘The root cause of the loss of these documents was the last minute verbal changes to the requirements for the contractors made on 7 July, the lack of adherence to the documented plan and a misunderstanding between CQC staff and the primary contractor team.

‘Should the information contained in the missing folders fall into unscrupulous hands then is has the potential to cause further harm and distress to the individual data subjects.’

There are 38,000 CQC registered managers in England, the majority of whom operate adult social care homes, and they are responsible for ensuring their provider meets CQC standards.

The CQC requests copies of DBS certificates as part of its registration checks. The recent breach relates to applications between July 2015 and March 2016 – an online system was launched in April 2016 which removes the need for paper copies.

Mr Behan said:I would like to apologise to the individuals whose DBS certificates have been lost during the recent refurbishment of our office in Newcastle and for any distress this may cause. I deeply regret that this has happened.’

 

Readers' comments (27)

  • BEHAN MUST DO THE HONOURABLE THING AND RESIGN.
    THIS IS AN OUTRAGE.
    THE CQC MUST NOW BE RATED "INADEQUATE" FOR THIS AND SHUT DOWN.
    OH, I FORGOT, THE REGULATORS ARE THEMSELVES ABOVE ANY FORM OF REGULATION-AT LEAST IT SEEMS TO BE THE CASE.

    Unsuitable or offensive? Report this comment

  • Well they'll be in good company.....

    http://www.pulsetoday.co.uk/political/political-news/hunts-tweeting-of-patient-names-under-consideration-by-information-commissioner/20010604.fullarticle

    What's intriguing is that whenever a government department does something like this it's excused as "human error" and no action taken.... Aren't most of these things human error? Can we stand in front of a FTP panel and say "not my fault guv, it's just human error".
    Oh well, lesson learned. In cases like this there are two rules. One rule for us.........

    Unsuitable or offensive? Report this comment

  • Who inspects the inspectors

    Unsuitable or offensive? Report this comment

  • 8:52 - for any other regulator like GMC or NMC the answer would be the Professional Standards Authority. But for CQC there is no oversight.
    Thoughts?

    Unsuitable or offensive? Report this comment

  • Congratulations CQC, job well done.
    As far as I am aware, there are no terms and conditions for the CQC to fulfill (unlike us).
    About informing the Information Commissioner, it is a job which will be overlooked due to human error.
    Retired GP.

    Unsuitable or offensive? Report this comment

  • The first thing that every affected individual should do is to write a "letter before proceedings" to the CQC advising that this loss is a failure to process their personal data lawfully in accordance with Schedule 1 of the Data Protection Act 1998 (Data Protection Principle 7 - security) and that, consequently, the CQC has a civil liability for damages and compensation under Section 13 of the Act.

    Anyone who can negotiate the GMS contract can certainly issue their own Part 27 County Court proceedings (use moneyclaimonline.gov.uk, it's quick and cheaper than the paper-based process!) and the CQC would be foolish to try to defend the claim. The claim should be the actual cost of replacing the DBS certificate and everything else (S.13(1) damages), plus (say) £100 compensation for the distress of knowing that their personal data could well now be in the hands of a third party (S.13(2) compensation). So, £200-£300 seems about right.

    Go for it... you know that nothing elese will happen to these hypocrites, so at least don't be out-of-pocket... :-(

    Unsuitable or offensive? Report this comment

  • So what they lost confidential data? The political mafia in this country is above the law - they make the law themselves don't they. So who's gonna fish the fat porpoise out of the tank.

    Unsuitable or offensive? Report this comment

  • they admit to having lost this data, what have they lost and not admitted to?
    are they worthy of trust?
    should we refuse to offer them any information?

    Unsuitable or offensive? Report this comment

  • I submitted anonymously, because they are not worthy of trust

    Unsuitable or offensive? Report this comment

  • I too share 532 puzzlement. If this was us , we would have to report this to the ICO and get ready for the inevitable fine. At a time when the CQC has intimated that IG will be a major part of reviews in the future, it does raise doubts on their ability to act as judge and jury.
    One could almost think there was one law for them and one for us but I couldn't possibly comment.

    Unsuitable or offensive? Report this comment

View results 10 results per page20 results per page50 results per page

Have your say